Computer Crime

Copyright 1999, 2002 by Ronald B. Standler

Table of Contents

1. Unauthorized use of computer
          Altering Websites
          Denial of Service (DoS) Attacks
2. Malicious computer programs
          Common, but Unacceptable, Justifications for Malicious Programs
3. Harassment & Stalking
4. Weak punishment in USA
5. Computer crime statutes in USA
6. Sue criminals in tort


There are no precise, reliable statistics on the amount of computer crime and the economic loss to victims, partly because many of these crimes are apparently not detected by victims, many of these crimes are never reported to authorities, and partly because the losses are often difficult to calculate. Nevertheless, there is a consensus among both law enforcement personnel and computer scientists who specialize in security that both the number of computer crime incidents and the sophistication of computer criminals is increasing rapidly. Estimates are that computer crime costs victims in the USA at least US$ 5×108/year, and the true value of such crime might be substantially higher. Experts in computer security, who are not attorneys, speak of "information warfare". While such "information warfare" is just another name for computer crime, the word "warfare" does fairly denote the amount of damage inflicted on society.

I have posted a separate document, Tips for Avoiding Computer Crime, which includes suggestions for increasing the security and reliability of personal computers, as well as links to websites on computer viruses, computer crime, and anti-virus and firewall software.

Two comments on word usage in this essay:
  1. I normally write in a gender neutral way, but here I use the masculine pronoun for computer criminals, because (1) female computer criminals are rare and (2) I can't imagine a feminist attacking me because I deny equal recognition to women criminals. <grin>

  2. To some professional computer programmers, the word "hacker" refers to a skilled programmer and is neither pejorative nor does it refer to criminal activity. However, to most users of English, the word "hacker" refers to computer criminals, and that is the usage that I have adopted in this essay.

I originally wrote this essay in May 1999. I do not have the spare time that would be required for a thorough search and analysis of reported cases and statutes on computer crime, as well as newspaper accounts (most criminal proceedings are resolved without generating any judicial decision that is reported in legal databases or books), so my revisions are mostly generalizations.

new crimes in cyberspace

There are three major classes of criminal activity with computers:
  1. unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim's computer via the Internet through a backdoor operated by a Trojan Horse program.

  2. creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan Horse).

  3. harassment and stalking in cyberspace.

old crimes

When lay people hear the words "computer crime", they often think of obscene pictures available on the Internet, or solicitation of children for sex by pedophiles via chat rooms on the Internet. The legal problem of obscenity on the Internet is mostly the same as the legal problem of obscenity in books and magazines, except for some technical issues of personal jurisdiction on the Internet. I have discussed obscenity on the Internet in my May 1997 essay on law & technology and I have nothing further to say about obscenity in this essay on computer crime.

Similarly, many crimes involving computers are no different from crimes without computers: the computer is only a tool that a criminal uses to commit a crime. For example,
In contrast to merely using computer equipment as a tool to commit old crimes, this essay is concerned with computer crimes that are new ways to harm people.

false origin

There are many instances of messages sent in the name of someone who neither wrote the content nor authorized the sending of the message. For example:
  1. E-mails with bogus From: addresses were sent automatically by malicious programs (e.g., the Melissa virus in 1999, the BadTrans worm in 2001, the Klez program in 2002).

  2. Posting messages in an Internet newsgroup or online bulletin board with a false author's name that is intended to harm the reputation of the real person of that name.
These acts might be punishable by existing criminal statutes that prohibit impersonation, forgery, deceit, or fraud. However, a judge might decide that the specific language in old statutes about writing or signature does not apply to e-mail. Rather than write new statutes for forged e-mail addresses or unauthorized sending of e-mail in someone else's name, I would prefer that legislatures broaden the existing criminal statutes for analogous crimes with paper and ink.

Similar issues arise in both: (1) fictitious From: addresses in some unsolicited commercial e-mail, also called spam or junk e-mail, and (2) fictitious source IP addresses in denial of service attacks.

1. Unauthorized Use

Unauthorized use of computers tends generally takes the following forms:
  1. Computer voyeur. The criminal reads (or copies) confidential or proprietary information, but data is neither deleted nor changed.

    In 1999, the Melissa virus infected a [possibly confidential] document on a victim's computer, then automatically sent that document and copy of the virus via e-mail to other people. Subsequently, the SirCam and Klez malicious programs made a similar release of [possibly confidential] documents from a victim's computer. These malicious programs are a new way to release confidential information from a victim's computer, with the confidential information going not to the author of the malicious program, but to some person unknown to the author of the malicious program.

  2. Changing data. For example, change a grade on a school transcript, add "money" to a checking account, etc. Unauthorized changing of data is generally a fraudulent act.

  3. Deleting data. Deleting entire files could be an act of vandalism or sabotage.

  4. Denying service to authorized users. On a modern time-sharing computer, any user takes some time and disk space, which is then not available to other users. By "denying service to authorized users", I mean gobbling unreasonably large amounts of computer time or disk space, for example:
    1. by sending large amounts of junk e-mail in one day, a so-called "mail bomb",
    2. by having the computer execute a malicious program that puts the processing unit into an infinite loop, or,
    3. by flooding an Internet server with bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the server. This is called a denial of service (DoS) attack.

During 1950-1975, computer programs and data were generally stored on cardboard cards with holes punched in them. If a vandal were to break into an office and either damage or steal the punch cards, the vandal could be adequately punished under traditional law of breaking and entering, vandalism, or theft.

However, after about 1975, it became common to enter programs and data from remote terminals (a keyboard and monitor) using a modem and a telephone line. This same technology allowed banks to retrieve a customer's current balance from the bank's central computer, and merchants to process credit card billing without sending paper forms. But this change in technology also meant that a criminal could alter data and programs from his home, without physical entry into the victim's building. The traditional laws were no longer adequate to punish criminals who used computer modems.

Most unauthorized use of a computer is accomplished by a person in his home, who uses a modem to access a remote computer. In this way, the computer criminal is acting analogous to a burglar. The classic definition of a burglary is:
the breaking and entering of a building with the intent to commit a felony therein.
In traditional burglaries, the felony was typically larceny, an unlawful taking of another person's property. However, in the unauthorized use of another's computer, the criminal "enters" the computer via the telephone lines, which is not breaking into the building. Either the burglary statute needed to be made more general or new criminal statute(s) needed to be enacted for unauthorized access to a computer. Legislatures chose to enact totally new statutes.

To successfully use a remote computer, any user (including criminals) must have both a valid user name and valid password. There are several basic ways to get these data:
  1. Call up a legitimate user, pretend to be a system administrator, and ask for the user name and password. This sounds ridiculous, but many people will give out such valuable information to anyone who pretends to have a good reason. Not only should you refuse to provide such information, but please report such requests to the management of the online service or the local police, so they can be alert to an active criminal.
  2. Search user's offices for such data, as many people post their user name and password on the side of their monitor or filing cabinet, where these data can be conveniently seen.
  3. Write a program that tries different combinations of user names and passwords until one is accepted.
  4. Use a packet "sniffer" program to find user names and passwords as they travel through networks.
  5. Search through a garbage bin behind the computer building in a university or corporate campus, find trash paper that lists user names and passwords.

A disgruntled employee can use his legitimate computer account and password for unauthorized uses of his employer's computer. This can be particularly damaging when the disgruntled employee is the computer system administrator, who knows master password(s) and can enter any user's file area. Such disgruntled employees can perpetrate an "inside job", working from within the employer's building, instead of accessing a computer via modem.

The computer voyeurs, like petty criminals who peek in other people's windows, generally hack into other people's computers for the thrill of it. In the 1970s and early 1980s, many of these computer voyeurs also used technology to make long-distance telephone calls for free, which technology also concealed their location when they were hacking into computers. Many of these voyeurs take a special thrill from hacking into military computers, bank computers, and telephone operating system computers, because the security is allegedly higher at these computers, so it is a greater technical challenge to hack into these machines.

The criminals who change or delete data, or who deliberately gobble large amounts of computer resources, have a more sinister motive and are capable of doing immense damage.

Of course, there is always the possibility that a computer voyeur will "accidentally" bumble around an unfamiliar system and cause appreciable damage to someone else's files or programs. Traditional criminal law in the USA places a great deal of emphasis on willful or intentional conduct, so such "accidental" damage would not satisfy the traditional requirement of mens rea (literally "guilty mind" or criminal intent). My personal opinion is that someone who deliberately hacks into someone else's computer should be accountable under criminal law for whatever damage is done by the unauthorized hacking, even if the damage is "accidental". In this regard, I would make an analogy to a homicide that occurs "accidentally" during the commission of a felony: the perpetrators are then charged with "felony murder": the intent to commit the hacking constitutes the malice or intent to cause the damage.

In the 1970s and early 1980s, a common reaction was that hackers were a minor nuisance, like teenagers throwing rolls of toilet paper into trees. Then, in August 1983, a group of young hackers in Milwaukee hacked into a computer at the Sloan-Kettering Cancer Institute in New York City. That computer stored records of cancer patients' radiation treatment. Altering files on that computer could have killed patients, which reminded everyone that hacking was a serious problem. This 1983 incident was cited by the U.S. Congress in the legislative history of a federal computer crime statute.
S. Rep. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480.

There is an interesting case under California state law for a criminal who improved his clients' credit rating. People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992).

altering websites

In recent years, there have been a large number of attacks on websites by hackers who are angry with the owner of the website. Victims of such attacks include various U.S. Government agencies, including the White House and FBI. Attacking the FBI website is like poking a lion with a stick. <grin>

In a typical attack, the hacker will delete some pages or graphics, then upload new pages with the same name as the old file, so that the hacker controls the message conveyed by the site.

This is not the worst kind of computer crime. The proper owner of the site can always close the website temporarily, restore all of the files from backup media, improve the security at the site, and then re-open the site. Nonetheless, the perpetrator has committed a computer crime by making an unauthorized use of someone else's computer or computer account.

The Internet is a medium for freely sharing information and opinions. However the criminals who trash other people's websites are acting as self-appointed censors who deny freedom of speech to those with whom they disagree. These criminals often make the self-serving excuse for their actions that they only attack sites sponsored by bad corporations or bad people. However, this excuse makes these criminals into vigilantes who serve as legislature, judge, jury, and executioner: arrogantly determining what is in the best interests of society.

One example of punishment for the crime of defacing a website is the case of Dennis M. Moran. On 9 March 2001, Moran (alias "Coolio"), a high school dropout, was sentenced in New Hampshire state court to nine months incarceration and ordered to pay a total of US$ 15000 restitution to his victims for defacing two websites:
  1. In November 1999, he defaced the website of DARE America, an organization that campaigns against use of illicit drugs, whose website was in Los Angeles, California.
  2. In February 2000, he defaced the website of RSA Security in Massachusetts.
  3. In February 2000, he made "unauthorized intrusions" into computers at four different U.S. Army and Air Force installations.
See the New Hampshire DoJ press release.

Denial of Service (DoS) Attacks

A denial of service attack occurs when an Internet server is flooded with a nearly continuous stream of bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the webserver.

Criminals have developed a simple technique for executing a distributed DoS attack:
  1. The criminal first plants remote-control programs on dozens of computers that have broadband access to the Internet. The remote-control program will, at the command of the criminal, issue a nearly continuous series of pings to a specified victim's website.
  2. When the criminal is ready to attack, he instructs the programs to begin pinging a specific target address. The computers containing the remote-control programs act as "zombies".
  3. The victim computer responds to each ping, but because the zombie computers gave false source addresses for their pings, the victim computer is unable to establish a connection with the zombie computers. Because the victim computer waits for a response to its return ping, and because there are more zombie computers than victims, the victim computer becomes overwhelmed and either (a) does nothing except respond to bogus pings or (b) crashes.
  4. Typically, after one or two hours, the criminal instructs his programs to stop pinging the victim. This brief duration is not because the criminal is a nice person, but because long-duration attacks make it easier for engineers at the victim's website to promptly trace the source of the attacks.
This may sound sophisticated, but the remote-control programs, and instructions for using them, are readily available from many pro-hacker websites since June 1999. My essay, Tips for Avoiding Computer Crime, has specific suggestions for how you can use firewall software on your computer to prevent your computer from being used by criminals in DoS attacks on victims.

Another kind of DoS attack uses a so-called "ping of death" to exploit bugs in software on webservers.

A study during three weeks in February 2001, showed that there are about 4000 DoS attacks each week. Most DoS attacks are neither publicized in the news media nor prosecuted in courts.

David Dittrich, a senior security engineer at the University of Washington and expert on Unix system administration, has posted a large collection of links to resources on distributed DoS attacks.

The following is one case involving a famous series of DoS attacks: The above facts are taken from reports at CNN, CBC, CNEWS, and the sentence is reported at

2. malicious computer programs

The following are general terms for any computer program that is designed to harm its victim(s):
malicious code
malicious program
malware   (by analogy with "software")
rogue program
Malicious computer programs are divided into the following classes:
Some confusion about the distinction between a virus and a worm is caused by two distinctly different criteria:
  1. a virus infects an executable file, while a worm is a stand-alone program.

  2. a virus requires human action to propagate (e.g., running an infected program, booting from a disk that has infected boot sectors) even if the human action is inadvertent, while a worm propagates automatically.
For most viruses or worms, these two different criteria give the same result. However, there have been a few malicious programs that might be considered a virus by some and a worm by others. Ultimately, the taxonomy matters only to computer scientists who are doing research with these malicious programs.

The first computer virus found "in the wild" was written in 1986 in a computer store in Lahore, Pakistan. In the 1980s, computer viruses were generally spread by passing floppy disks from one user to another user. In the late 1990s, computer viruses were generally spread via the Internet, either in e-mail (e.g., a virus contained in a Microsoft Word macro, or a worm contained in an attachment to e-mail) or in programs downloaded from a website. The distribution of viruses via the Internet permitted a much more rapid epidemic, so that more computers could be infected in a shorter time than when floppy disks were used to spread the infection.

The first prosecution under the Federal computer crime statute, 18 USC § 1030, was for a release of a worm. Robert Tappan Morris, then a graduate student in computer science at Cornell University, released his worm into the Internet on 2 Nov 1988. The worm rapidly copied itself and effectively shut down the Internet. Morris was convicted of violating 18 USC §1030 in 1990 and the conviction was upheld in U.S. v. Morris, 928 F.2d 504 (2dCir. 1991), cert. denied, 502 U.S. 817 (1991).

My long discussion of a few famous malicious programs is in a separate essay, emphasizes the nonexistent or weak punishment of the authors of these programs.

There is a reported case under state law for inserting a logic bomb into custom software. Wisc. v. Corcoran, 522 N.W.2d 226 (Wisc.Ct.App. 1994).

"justification" for malicious programs

Designing and releasing malicious computer programs is not only unethical, but also unlawful. However, some people defend the authors of malicious code by offering one or more of the following justifications:
  1. The malicious code exposes security flaws in operating systems and applications software.
  2. It is the victim's fault if they are infected by a worm or virus that exploits a known security flaw, for which a patch is available.
  3. It is ok if the author of the malicious code does not alter or delete any of the victim's data files.
    No. The victim is still harmed by the cost of removing the malicious program, the costs of lost productivity during the removal of the malicious program, possible exposure of confidential information (e.g., either to a hacker who examines data files via a Trojan Horse program, or a malicious program that sends a document on the victim's computer to potential future victims), among other possible harms. Furthermore, the privacy and property rights of the victim have been violated by the author of malicious code. Any unauthorized access of a computer is, or should be, criminal, regardless of the perpetrator's intent once inside the computer.

  4. The virus/worm was a laboratory experiment gone awry.
    The Internet, including e-mail, is neither a laboratory nor a playground. Scientists, engineers, professors, businesses, governments, etc. depend on the routine functioning of the Internet for their work, distributing information, and for other public services. Anyone wishing to play with viruses or worms should use a quarantined system that is not connected to the Internet.

    An "experimenter" must not create a big mess that requires computer system administrators worldwide to devote much time to remove. In considering the actions of Morris, a graduate student at Cornell who released his worm into the Internet, a commission of five Cornell professors said:
    This was not a simple act of trespass analogous to wandering through someone's unlocked house without permission[,] but with no intent to cause damage. A more apt analogy would be the driving of a golf cart on a rainy day through most houses in a neighborhood. The driver may have navigated carefully and broken no china, but it should have been obvious to the driver that the mud on the tires would soil the carpets and that the owners would later have to clean up the mess.
    Theodore Eisenberg, David Gries, Juris Hartmanis, et al., The Computer Worm, A Report to the Provost of Cornell University ..., p. 7 (see also p. 40), Feb 1989. Summary reprinted in Communications of the ACM, Vol. 32, pp. 706-709, June 1989. Summary also reprinted in Peter J. Denning, editor, Computers Under Attack, Addison-Wesley Publishing Co., 1990. The above quote is on page 258 of Denning's book.

    It is self-serving to associate a criminal's actions with the prestige of a scientist who does an experiment. Scientists follow a professional code of ethics, in addition to behaving in a lawful way, and avoid harming other people. Scientists work together in a collegial way, with implicit trust. As pointed out by Eisenberg, et al. in The Computer Worm, pages 7, 25, 41, releasing malicious code is a violation of trust.

  5. The virus/worm was "accidentally" released.
    First, there is no acceptable reason to create malicious software that alters or deletes data files from the victim's hard disk, releases confidential information from the victim's computer along with a copy of the virus/worm to potential future victims, attempts to disable anti-virus software on the victim's computer, or any of the other harms that have been observed in real malicious programs. There is no rational reason to write a program that one intends never to use.

    Second, if one writes such a destructive program, then one must use extraordinary care (i.e., the same care that one takes with toxic chemicals, explosives, highly radioactive materials, etc.) to make certain that the program is never released. Society ought to demand that those who release malicious programs, even if the release is an "accident", be held legally responsible for the damage caused by their malicious programs.

  6. The author of the virus/worm did not know how rapidly the virus/worm would propagate.
    In my companion essay on Examples of Malicious Computer Programs, I explained why this excuse is bogus.

  7. Although not a common excuse offered by defenders of an author of a malicious computer program, the author himself often seems to believe that his virus/worm is proof of his programming ability.
    However, careful examination of famous malicious programs that have caused extensive damage shows that these programs commonly contain many programming errors (so-called "bugs"). Such bugs often prevent a malicious program from causing more damage; sometimes bugs make a program worse than its author probably intended. Either way, a program full of bugs is not evidence of programming skill. And, more importantly, someone who writes malicious programs is a criminal, not the type of person who an ethical employer would want to hire.

Such specious excuses for authors of malicious code were fairly common from professional programmers in the 1980s, but are less frequent now. The worm released into the Internet by Robert Morris in Nov 1988 seems to have jolted most computer professionals into realizing that ethics and law are essential to the computer profession. Now, specious excuses are mostly offered by criminals and their attorneys.

3. Harassment & Stalking

In general, the harasser intends to cause emotional distress and has no legitimate purpose to his communications. Harassment can be as simple as continuing to send e-mail to someone who has said they want no further contact with the sender. Harassment may also include threats, sexual remarks, pejorative labels (i.e., hate speech).

A particularly disturbing form of harassment is sending a forged e-mail that appears to be from the victim and contains racist remarks, or other embarrassing text, that will tarnish the reputation of the victim.

It is often difficult to get law enforcement personnel and prosecutors interested in harassment, unless threats of death or serious bodily harm are made, simply because the resources of the criminal justice system are strained by "more serious" criminal activities. I put "more serious" in quotation marks, because the victim of harassment certainly is adversely affected by the harassment, therefore it is a serious matter to the victim. But the law treats harassment as a misdemeanor, the group of less serious crimes.

4. Weak Punishment in USA

I have a general concern about the inability of the criminal justice system to either deter criminal conduct or protect society. This concern is particularly acute in the area of computer crime, where immense damage is being done to corporations by computer viruses and worms. Public safety is threatened by criminals who hack into the telephone system and crash 911 services, among other examples.

There are many theories that justify punishment of criminals. While severe punishment may not deter criminal conduct, punishment does express the outrage of decent society at criminal conduct.

One of the earliest reported cases in federal courts in the USA on computer crime was that of Robert Riggs.
U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990), 743 F.Supp. 556 (N.D.Ill. 1990), aff'd, 967 F.2d 561 (11thCir. 1992).
Riggs was first convicted in 1986 for his unauthorized use of a computer and was sentenced to a mere 15 days of community service and placed on probation for 18 months. 967 F.2d at 562. In 1990 Riggs was indicted again for making unauthorized access to computers, during which he stole proprietary information from a telephone company. This time he was sentenced to 21 months in prison, followed by two years of "supervised release" during which time he was forbidden to either own or use any computer for his personal use. Riggs was allowed to use computers in his employment, if supervised by someone. This sentence was upheld on appeal. 967 F.2d at 563.

In March 1997, a young hacker disabled the telephone service at the Worcester, Massachusetts airport for six hours, which disabled the air-traffic control system and other critical services. This same hacker also copied patients' records from a computer in a pharmacy on four separate occasions in January, February, and March 1997. This hacker was the first juvenile to be prosecuted by the U.S. Government for computer crime. He pled guilty and was placed on probation for two years, was ordered to provide 250 hours of community service, and forfeited all of the computer equipment used during his criminal activity.

I have a long discussion of a few famous malicious programs and the legal punishment of their authors in a separate essay. The point made in that essay is that, out of approximately 61000 malicious programs for the Microsoft Windows operating system, there have been arrests and convictions of the author(s) of only five malicious programs:
  1. the author of a worm released in 1988,
  2. the author and distributors of the MBDF virus,
  3. the author of the Pathogen virus,
  4. the author of the Melissa virus, and
  5. the author of the Anna worm.
Except for the author of the Pathogen virus, each of these criminals received very light punishment.

5. Computer Crime Statutes in USA

There are many federal statutes in the USA that can be used to prosecute computer criminals:

State Statutes in USA

There is wide variation in state statutes on computer crime in the USA: in my opinion, most state statutes are not adequate to punish computer criminals.

California, Minnesota, and Maine are among the few states to prohibit explicitly release of a computer virus or other malicious program.
California Statutes, Title 13 (Penal Code), §§ 502(b)(10) and 502(c)(8).
Minnesota Statutes, §609.87(12) and §609.88(1)(c).
Maine Statutes, 17-A (Criminal Code), § 433(1)(C).
In states without an explicit statute, release of a malicious program would probably be prosecuted as "malicious mischief".

California also provides for the forfeiture of computer systems used in the commission of a computer crime. If the defendant is a minor, the parents' computer system can be forfeited.
California Statutes, Title 13 (Penal Code), §§ 502(g) and 502.01(a)(1)

In November 1996 and July 1997, I made comprehensive searches of the WESTLAW databases of reported cases in both state and federal courts in the USA on computer crimes. I was surprised to find that, in sharp contrast to most other areas of law, there was very little reported case law on computer crimes, except obscenity cases. I have the impression that most computer criminals who are apprehended plead guilty to a lesser offense (a so-called "plea bargain") and avoid a trial. Plea bargains are common the U.S.A., as they dispose of cases without large investments of prosecutorial and judicial time. In the specific area of computer crimes, prosecuting such a case would be difficult for prosecutors, because the jury would need to learn about complex technical matters. In addition to making life easier for prosecutors and judges, many victims (particularly banks and other corporations) may be embarrassed to admit that some teenager defeated their security features, thus these victims refuse to testify in court.

6. sue in tort

In addition to any criminal penalties, victim(s) of computer crimes can sue the perpetrator in tort. For example, unauthorized use of a computer system could be "trespass on chattels". A computer voyeur might also be sued in tort for invasion of privacy or disclosure of a trade secret. A harasser might be sued in tort for intentional infliction of emotional distress. There is also the possibility of a class action by corporate and personal victims against a person who wrote and initially released a computer virus.

The downside of such tort litigation is that the perpetrators are generally young people (often between 12 and 25 years of age) and have little assets that could be seized immediately to satisfy a judgment. On the other hand, judgments in the USA are generally valid for 20 years, so future income of the wrongdoer can be used to satisfy the judgment. Moreover, the publicity surrounding such a trial might impress potential hackers with the seriousness of such wrongful conduct and deter other potential hackers. In addition, such trials might express the outrage of society at the behavior of hackers.

Defendants between 7 and 14 y of age may be sued in tort, but their duty of care is generally less than an adult's duty. There is one exception, when children engage in an adult activity (e.g., fly an airplane), the law imposes an adult's duty of care on the child. Restatement (Second) Torts, § 283A, comment c (1965). In my opinion, there are good reasons why computer programming (e.g., design of a virus) or hacking qualifies as an "adult activity". However, there appear to be no reported court cases in the USA that have decided this issue.

There is another remedy in civil law, besides damages awarded in tort litigation: a victim can get a temporary restraining order (TRO), then an injunction, that enjoins continuance of wrongs (e.g., disclosure of proprietary or private data) that will cause irreparable harm or for which there is no adequate remedy at law.


One of the functions of the criminal justice system is to deter crime by other people. Journalists play an important role in this deterrence by reporting on the crime (and how people were harmed), arrest, trial, and sentence of the guilty criminals. One hopes that people contemplating computer crimes will read these reports by journalists, and say to themselves: "I should not write a computer virus, because I don't want to be put in prison like David Lee Smith," the author of the Melissa virus.

However, reports of computer crime by journalists are less than satisfactory:
  1. Journalists often glorify or praise the criminal suspect, by admiring his programming "talent", or even calling him a "genius".

    In the 1980s, most hackers committed fraud to get a username and password for a computer account, and then logged on to the computer without proper authorization, and browsed through files, copying some, deleting or altering others. Such work does not require any knowledge of computer programming, just a rudimentary knowledge of a few operating system commands. Since 2000, authors of malicious programs use resources readily available on the Internet to create a "new" computer virus or worm, or launch a denial of service attack. Again, such activities do not demonstrate a high level of proficiency in computer programming.

    It is an anti-social act for journalists to praise the exploits of hackers: hackers are criminals who deserve scorn and ostracism. And when hackers are publicly praised as geniuses, the wrong message is sent to serious students in computer science who behave ethically and who are ignored by journalists, despite the fact that the students are both smarter and more ethical than hackers.

  2. I have noticed that many online newspapers:
    1. devote considerable space to reporting the crime when it happens,
    2. describe the arrest of the criminal suspect in detail,
    3. but the trial of the suspect receives less attention from journalists,
    4. and the verdict and sentence often go unreported in the media.
    If punishment is to have a deterrent effect on other people, then the coverage of the trial, verdict, and sentence must be increased.

    Aside from my main point about deterrence of future crimes, by reporting of sentencing and punishment of computer criminals, there is another issue. The widespread reporting of the crime and the arrest of a suspect tarnishes the name of the suspect, by linking the crime and the suspect's name in people's minds. However, the suspect might later be found not guilty of the crime. The lack of reporting of the trial and its outcome provides no opportunity for an innocent suspect to rehabilitate his good name.

  3. Part of the problem is that many journalists who write about computer crime are themselves computer-illiterate. (Their ignorance shows in the technical mistakes made in their articles.)

    From the perspective of a computer-illiterate journalist, the work of a computer criminal may indeed be incomprehensible. Arthur C. Clarke said anything sufficiently advanced appears as magic. That may be, but it is unprofessional for journalists to write on subjects that they do not personally understand. News media hire journalists who understand economics and finance to report business news, and journalists who understand sports to report on sports, so why can't the news media hire journalists who understand computers to report on computer crime?


The fundamental issue in most computer crime is the criminals' lack of respect for the property or privacy of other people. I hope that society will recognize the seriousness of computer crime and demand more severe punishment for such criminals.

this document is at
My last search for case law on computer crime was in July 1997.
21 June 1999, revised 4 Sep 2002

My essay Tips for Avoiding Computer Crime, which essay includes links to websites on computer viruses, computer crime, and related topics, plus a list of good books on computer crime.

My discussion of a few famous malicious programs and the nonexistent or lenient punishment of their authors are contained in my separate essay.

return to my homepage